feat(vault): switch to Kubernetes service registration (#171)

Replaces Consul service registration with the native Kubernetes provider so Vault labels its own pods with active/standby/perf-standby status without requiring a Consul dependency.

## Changes
- `values.yaml`: swap `service_registration "consul"` for `service_registration "kubernetes" {}`, add `VAULT_K8S_NAMESPACE` and `VAULT_K8S_POD_NAME` env vars via downward API
- `role_k8s-service-registration.yaml`: Role + RoleBinding granting the `vault` service account `get`/`update`/`patch` on pods
- `kustomization.yaml`: include new RBAC file

Reviewed-on: #171
This commit was merged in pull request #171.
This commit is contained in:
2026-05-26 00:06:56 +10:00
parent d358098fff
commit 3990fbfe06
3 changed files with 34 additions and 3 deletions
+1
View File
@@ -6,3 +6,4 @@ resources:
- namespace.yaml - namespace.yaml
- gateway.yaml - gateway.yaml
- httproute.yaml - httproute.yaml
- role_k8s-service-registration.yaml
@@ -0,0 +1,24 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: vault-k8s-service-registration
namespace: vault
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: vault-k8s-service-registration
namespace: vault
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: vault-k8s-service-registration
subjects:
- kind: ServiceAccount
name: vault
namespace: vault
+9 -3
View File
@@ -40,9 +40,7 @@ server:
} }
} }
service_registration "consul" { service_registration "kubernetes" {}
address = "consul-server.consul.svc.cluster.local:8500"
}
dataStorage: dataStorage:
enabled: true enabled: true
@@ -50,6 +48,14 @@ server:
storageClass: cephrbd-fast-delete storageClass: cephrbd-fast-delete
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
extraEnv:
- name: VAULT_K8S_NAMESPACE
value: vault
- name: VAULT_K8S_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
statefulSet: statefulSet:
securityContext: securityContext:
container: container: